2024/16 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: NIS2 or CER? / Disaster Recovery of Third-Party Infrastructure Providers to alternatives is helpful / Sneaker Interfaces are acceptable and sometimes preferred / CRR Community Webinar: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”, 22nd May 2024, 10:00-11:30 CET / Upcoming webinar of “Accelerating NIS2 Compliance with Benchmarking and AI Support” – New Date Pending
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: Make sure your leadership team has your personal mobile number stored on their personal phones so that they can reach you in the event of an emergency – major cyber breaches may well disable official (mobile) phone solutions.
- Weekly [TLP:RED] for Essential Services Managers: Regular local data backups to external storage devices are a cyber hazard, but they can save you in the event of a major cyber breach.
- Weekly [TLP:RED] for IT Leaders: Ensure you have an alternative third-party service provider as a disaster recovery alternative and test switching back and forth regularly.
| Summary |
Hi everyone and hope you are well – four cities from Croatia, Estonia, Ireland and Italy joining on Friday morning – two of us actually officially on holidays but still in for a coffee chat with friends 😊
One of our colleagues updated us on his progress in developing a national ISAC for municipalities and especially the ongoing results of vulnerability scanning being done on such organisations. This then brought us to a discussion on the importance of finding “exploitable” vulnerabilities and considering them, reflecting on which ones could actually disrupt those services which “…play an indispensable role in the maintenance of vital societal functions…” (See the CER Directive (Directive on the resilience of critical entities) – https://eur-lex.europa.eu/eli/dir/2022/2557/oj.) Examples of services like these are perhaps drinking water, electricity, heating gas, traffic management, police / fire services etc. We reflected a lot on whether, in a situation where we have significant resource shortages, protecting such services might not actually be a lot more important than preventing degradation of e-government services. One member’s IT department used to have 47 full-time staff – down to only 5 now and they are obviously only able to “keep the lights on” ….
We then discussed a draft of the “Project “VAUBAN” – 2024 Multi-ISAC Tabletop” (see below as well) and did see how digitalisation is overall not making things safer – especially when it comes to the above-mentioned critical infrastructure services. Or rather, it is not the digital enablement per se that is the issue; the issue is connecting those services to the public Internet in any way (and no, giving this responsibility to third party service providers is not the solution). Since most of the critical infrastructure services remain on legacy IT kit and are often “air-gapped” from the public internet by default, we may be in a relatively good position – until someone comes along and wants to change that…. This then suggested we may actually be better off focusing on CER versus NIS2 – with ever dwindling resources to maintain vital social functions…
I asked CoPilot to create an image of a “sneaker interface” and it came up with the below – yes, we still need to transfer data and flash drives are quite prominent in this respect (and they pose a whole host of other hazards). But seriously – in the current geo-political climate, and with limited resources – NIS2 or CER? The answer should be a no-brainer.

Cheers
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat on why it is important for public administrations to know which of their essential services manage GDPR relevant data and how robust their security controls are. The AI responded as per below:
“It’s crucial for public administrations to be aware of which essential services manage GDPR-relevant data and the robustness of their security controls for several reasons:
1. **Compliance with Legal Obligations**: Public administrations must comply with the GDPR when processing personal data. This includes respecting key principles such as fair and lawful processing, purpose limitation, data minimisation, and data retention¹.
2. **Protection of Personal Data**: The GDPR requires that appropriate technical and organisational measures are implemented to secure personal data. This is vital to protect the data from accidental or unlawful disclosure and to ensure its availability and integrity¹.
3. **Transparency and Accountability**: Knowing which services handle GDPR-relevant data helps in maintaining transparency in data handling and establishes accountability for data protection³.
4. **Risk Management**: Understanding the security controls in place allows public administrations to assess and mitigate risks related to data breaches and cyber threats¹.
5. **Public Trust**: Robust security controls and compliance with GDPR enhance public trust in how personal data is managed by public administrations⁵.
6. **Avoidance of Sanctions**: Non-compliance with GDPR can lead to sanctions, including fines and suspension of data processing activities².
7. **Data Subject Rights**: Public administrations need to deal with requests from individuals regarding their data rights under the GDPR, such as access to data and correction of inaccuracies².
In essence, it’s about ensuring the privacy and protection of individuals’ data, upholding the law, and maintaining the integrity and trustworthiness of public services.
Source: Conversation with Bing, 09/05/2024
(1) What are the main aspects of the General Data Protection Regulation …. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/public-administrations-and-data-protection/what-are-main-aspects-general-data-protection-regulation-gdpr-public-administration-should-be-aware_en.
(2) What is GDPR compliance: A comprehensive guide – Thoropass. https://thoropass.com/blog/compliance/what-is-gdpr-compliance/.
(3) The Importance of GDPR Compliance: Protecting User … – GDPR Advisor. https://www.gdpr-advisor.com/the-importance-of-gdpr-compliance-protecting-user-privacy-in-the-digital-age/ .
(4) Public administrations and data protection – European Commission. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/public-administrations-and-data-protection_en.
(5) What Is GDPR? | Coursera. https://www.coursera.org/articles/what-is-gdpr.”
| In the News |
- Interesting early use cases of AI in US local government, published in an article reported in the newsletter of our US partner, the Public Technology Institute: https://statetechmagazine.com/article/2024/05/local-governments-are-developing-early-ai-use-cases-cios-say. It would be interesting to gather similar use cases from our European members. If you already have such experience, please send an overview that we will share among us.
- A very nicely described account of how Kremlin-backed APT28 targets Polish institutions in a large-scale malware campaign. See https://thehackernews.com/2024/05/kremlin-backed-apt28-targets-polish.html.
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.
One key service is about “Creating Intelligence” and related to “(Joint) Benchmarking Cyber Solutions (Defence in Depth): We gather the Defence in Depth solutions of your organisation, assess them against best-practice and make specific recommendations to enhance the protection offered. Joint reviews with other organisations we perform this service for are conducted quarterly.” – the unique piece is that we can help understand the “real” challenges of deploying solutions and thus help avoid the piecemeal “pilot” approaches that never really enhance protection.
Note that the date for our next webinar in collaboration with I-Trust with a draft title of “Accelerating NIS2 Compliance with Benchmarking and AI Support” will probably be moving into the first week of June – once confirmed we will let you know. The webinar focuses on helping local and regional public administrations to accelerate their journey to NIS2 compliance with the help of generally available AI solutions such as Microsoft Co-Pilot in combination with expert assessment questions that also allow for benchmarking across local and regional public administrations across the European Union. The webinar will be an open debate building on a presentation of the Enablor benchmarking platform from I-Trust and how it is used in practice by a public administration on its path to NIS2 compliance, a demonstration of how Microsoft Co-Pilot can be used to effectively explore the assessment questions and an open panel discussion with the presenters and the audience. The webinar will help public administrations master the growing challenge of achieving NIS2 compliance through benchmarking, simple AI and peer-to-peer knowledge sharing.
| Project “VAUBAN” – 2024 Multi-ISAC Tabletop |
You might remember that our City ISAC is a founding member of the EU Council of ISACs where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 90 minute tabletop with many ISACs in the room plus a wide range of ENISA representatives.
After some first discussions with colleagues that regularly support the annual NATO LockedShields exercise, the basic evolving scenario concerns a leading smart city in a country which has just decided to supply a third nation with some advanced military equipment to help defend itself against an aggressor. That aggressor has decided to contract a major third-party threat actor to “teach that nation a lesson”. The audience will be tasked to “bring the city to its knees” and find the “optimum” constellation of services to disable. An interesting aspect will be the discovery of external service delivery concentration and why being “smart” is not always the best way forward. The exercise will address all NIS2 domains. Stay tuned!
| Project “Regions4Cyber” |
CRR Community Webinar: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”, 22nd May 2024, 10:00-11:30 CET.
ECSO, with Tuscany Region, Major Cities of Europe and EU City ISAC I4C+, would like to invite you to the 2nd webinar of its Cyber Resilient Regions (CRR) Community, with the topic: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”. The webinar will take place on the 22nd of May, from 10am to 11:30am (CEST).
The webinar will focus on understanding digital resilience with a look at challenges and opportunities and the involvement of the Committee of Regions (CoR) and a broad EU audience, to foster discussion at the local/regional, national and European perspective.
The webinar will consist of a keynote presentation by guest speaker MEP Pehr Granfalk, rapporteur of the Committee of the Regions’ (CDR 2191/2023) – EU Cyber Solidarity Act and Digital Resilience Paper, followed by a panel discussion moderated by Gianluca Vannuccini, CIO of Tuscany Region.
Programme:
10:00 – 10:05 Welcoming remarks by ECSO
10:05 – 10:20 Keynote Presentation by Pehr Granfalk (MEP and member of the CoR), rapporteur to the CoR’s (CDR 2191/2023) – EU Cyber Solidarity Act and Digital Resilience paper.
10:20 – 10:25 Q&A
10:25 – 11:25 Panel: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe” moderated by Gianluca Vannuccini (CIO, Tuscany Region), with the panellists: Pehr Granfalk (Member of the CoR and second Vice-Chair of ECON), Luca Nicoletti (Executive, ACN – Agenzia per la Cybersicurezza Nazionale), Cliff Dean (CIO, North Kesteven District Council, UK), (more panellists to be confirmed).
11:25 – 11:30 Closing remarks by ECSO
You can find the link to register to the Webinar here.
The Cyber Resilient Regions Community (CRR) initiative aims to build a European community of Local and Regional Authorities (LRAs) that have a desire to increase their digital resilience. It will engage LRAs’ Chief Information Security Officers (CISOs) and related roles, and IT or security specialists that have cybersecurity responsibilities, in a community that aims to increase LRAs’ cybersecurity resilience. Surveys, events, and chats with experts and peers are among the activities promoted within the CRR initiative.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/